The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about active exploitation of **CVE-2025-5086**, a critical **remote code execution (RCE) vulnerability** in **DELMIA Apriso**, Dassault Systèmes’ Manufacturing Operations Management (MOM) and Execution (MES) solution. The flaw, a **deserialization of untrusted data** issue (CVSS v3: 9.0), affects all versions from **Release 2020 to 2025** and enables attackers to execute arbitrary code via malicious SOAP requests containing a **Base64-encoded, GZIP-compressed .NET executable**.

**SANS ISC** observed exploitation attempts originating from IP **156.244.33[.]162**, likely from automated scans. The payload, a Windows executable flagged as malicious, could disrupt **production scheduling, quality management, resource allocation, and warehouse operations**, all critical functions in the **automotive, aerospace, electronics, and industrial machinery sectors**. CISA required federal agencies to patch or discontinue use by **October 2** and urged private organizations worldwide to follow suit. A successful attack could **halt factory operations, compromise process standardization, or disrupt supply chains**, posing severe operational and financial risks to dependent industries.
TPRM report: https://www.rankiteo.com/company/dassaultsystemes
"id": "das2092120091225",
"linkid": "dassaultsystemes",
"type": "Vulnerability",
"date": "6/2020",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['Manufacturing Operations Management '
'(MOM)',
'Manufacturing Execution Systems (MES)'],
'location': 'France (Global Operations)',
'name': 'Dassault Systèmes',
'type': 'Software Vendor'}],
'attack_vector': ['Network',
'Malicious SOAP Requests',
'Base64-encoded GZIP-compressed .NET Executable'],
'customer_advisories': ['Dassault Systèmes Security Bulletin (Limited '
'Details)'],
'date_detected': '2025-06-02',
'date_publicly_disclosed': '2025-06-02',
'description': 'The U.S. Cybersecurity and Infrastructure Security Agency '
'(CISA) is warning of hackers exploiting a critical remote '
'code execution (RCE) flaw (CVE-2025-5086, CVSS v3: 9.0) in '
'DELMIA Apriso, a manufacturing operations management (MOM) '
'and execution (MES) solution by Dassault Systèmes. The '
'vulnerability, a deserialization of untrusted data issue, '
'allows RCE via malicious SOAP requests containing a '
'Base64-encoded, GZIP-compressed .NET executable. Exploitation '
'attempts were observed originating from IP 156.244.33[.]162, '
'likely linked to automated scans. CISA added the flaw to its '
'Known Exploited Vulnerabilities (KEV) catalog and mandated '
'federal agencies to patch or mitigate by October 2, 2025.',
'impact': {'brand_reputation_impact': ['Potential reputational damage to '
'Dassault Systèmes and affected '
'enterprises'],
'operational_impact': ['Potential disruption to manufacturing '
'operations',
'Quality management',
'Resource allocation',
'Warehouse management',
'Production equipment integration'],
'systems_affected': ['DELMIA Apriso (Releases 2020–2025)']},
'initial_access_broker': {'entry_point': ['Vulnerable SOAP Endpoints in '
'DELMIA Apriso'],
'high_value_targets': ['Manufacturing Operations '
'(Automotive, Aerospace, '
'Electronics, Industrial '
'Machinery)']},
'investigation_status': 'Ongoing (Exploitation observed; CISA mandate active)',
'post_incident_analysis': {'corrective_actions': ['Patch vulnerable versions '
'(2020–2025)',
'Enhance input validation '
'mechanisms',
'Implement exploit '
'mitigation controls'],
'root_causes': ['Deserialization of untrusted data '
'in DELMIA Apriso',
'Lack of input validation for SOAP '
'requests']},
'recommendations': ['Patch DELMIA Apriso to the latest version immediately.',
'Monitor network traffic for malicious SOAP requests '
'targeting DELMIA Apriso endpoints.',
'Implement network segmentation to isolate MOM/MES '
'systems.',
'Deploy WAF rules to block exploitation attempts via SOAP '
'endpoints.',
'Conduct threat hunting for indicators of compromise '
'(e.g., IP 156.244.33[.]162).',
'Follow CISA’s KEV catalog for timely vulnerability '
'management.'],
'references': [{'source': 'CISA Known Exploited Vulnerabilities (KEV) '
'Catalog'},
{'date_accessed': '2025-09-03',
'source': 'SANS Internet Storm Center (ISC) - Johannes '
'Ullrich'},
{'date_accessed': '2025-06-02',
'source': 'Dassault Systèmes Security Advisory'},
{'source': 'Hybrid Analysis (Malicious Payload Report)'},
{'source': 'VirusTotal (Payload Analysis)'}],
'regulatory_compliance': {'regulatory_notifications': ['CISA KEV Catalog '
'Inclusion',
'BOD 22-01 Mandate for '
'Federal Agencies']},
'response': {'communication_strategy': ['CISA advisory',
'SANS ISC disclosure by Johannes '
'Ullrich'],
'containment_measures': ['Apply security updates',
'Mitigate vulnerability',
'Discontinue use of DELMIA Apriso if '
'unpatched'],
'enhanced_monitoring': ['Monitor for malicious SOAP requests '
'from IP 156.244.33[.]162'],
'incident_response_plan_activated': ['CISA Binding Operational '
'Directive (BOD) 22-01'],
'remediation_measures': ['Patch management for DELMIA Apriso '
'(Releases 2020–2025)']},
'stakeholder_advisories': ['CISA Alert for Federal and Private Sector '
'Organizations'],
'title': 'Critical RCE Vulnerability (CVE-2025-5086) in DELMIA Apriso '
'Exploited by Hackers',
'type': ['Vulnerability Exploitation',
'Remote Code Execution (RCE)',
'Deserialization Attack'],
'vulnerability_exploited': 'CVE-2025-5086 (Deserialization of Untrusted Data)'}